CVE-2022-29834
Mitsubishi Electric ICONICS GENESIS64 vulnerability analysis and mitigation

Overview

ICONICS GENESIS64 version 10.97.1 and prior contains a path traversal vulnerability (CVE-2022-29834) that allows remote unauthenticated attackers to access arbitrary files on the GENESIS64 server and disclose sensitive information stored in those files. The vulnerability was discovered in March 2022 and publicly disclosed in July 2022 (ZDI Advisory, CISA Advisory).

Technical details

The vulnerability exists within the colorpalletes endpoint of GENESIS64. When parsing the path parameter, the process does not properly validate user-supplied paths prior to using them in file operations. This path traversal vulnerability has been assigned a CVSS v3 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity with network accessibility, low attack complexity, and no required privileges or user interaction (ZDI Advisory).
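The defect class described above is the absence of a containment check between receiving a path parameter and opening a file. The following is an added illustration, not ICONICS or GENESIS64 code, of the weak pattern beside the check a file-serving endpoint needs; the base directory, parameter values and file names are constructed assumptions and do not describe the real product's layout.

```python
"""Path-containment check for a file-serving endpoint (added example).

Shows why joining a user-supplied path onto a base directory is not a
validation step, and what a containment check looks like. The base
directory and sample inputs are constructed for the example.
"""
import os
from urllib.parse import unquote

# Assumed directory served by the endpoint (constructed; not the product's real path)
PALETTE_DIR = "/srv/webapp/colorpalettes"


def unsafe_resolve(base_dir, user_path):
    """The weak pattern: join and normalise, but never check containment.

    os.path.join discards base_dir entirely when user_path is absolute, and
    normpath happily walks '..' components above base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir, user_path):
    """Return the absolute target if it lies inside base_dir, else None."""
    # Decode exactly once, so the check judges what the filesystem would see.
    # A doubly-encoded value decodes to a literal '%2e%2e' file name, which is
    # harmless because it is never interpreted as '..' by the OS.
    decoded = unquote(user_path)

    # NUL bytes truncate paths in C runtimes; never pass them on.
    if "\x00" in decoded:
        return None

    # Absolute paths in either separator style are never legitimate here.
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        return None

    # Treat backslashes as separators so Windows-style '..\' is normalised too.
    normalised_input = decoded.replace("\\", "/")

    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalised_input))

    # Containment: the target must be base itself or sit strictly below it.
    # The trailing separator prevents '/srv/webapp/colorpalettes-old' from
    # passing as a prefix match.
    if target != base and not target.startswith(base + os.sep):
        return None
    return target


def check_requests(base_dir, user_paths):
    """Run both resolvers over a batch of constructed inputs for comparison."""
    return [
        {
            "input": p,
            "unsafe": unsafe_resolve(base_dir, p),
            "safe": safe_resolve(base_dir, p),
        }
        for p in user_paths
    ]


if __name__ == "__main__":
    # Constructed sample inputs: legitimate names, in-directory '..' use,
    # and the classic traversal shapes a detection rule would flag.
    samples = [
        "default.xml",
        "themes/../default.xml",
        "../../../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
        "..\\..\\windows\\win.ini",
    ]
    for row in check_requests(PALETTE_DIR, samples):
        print(f"{row['input']!r:32} unsafe={row['unsafe']!r:36} safe={row['safe']!r}")
```

The point of `safe_resolve` is that normalisation is done by the OS-facing function (`realpath`) and the decision is a prefix comparison on the result, so encoding tricks, mixed separators and in-directory `..` are all judged by the path that would actually be opened. Logging the rejected inputs at the `return None` points gives a detection signal for traversal attempts against the endpoint.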

Impact

Successful exploitation of this vulnerability could allow attackers to disclose stored credentials and other sensitive information, potentially leading to further system compromise. The flaw lies in the server's file system access controls: a user-supplied path can escape the directory the endpoint is meant to serve, giving read access to files elsewhere on the GENESIS64 server (CISA Advisory).

Mitigation and workarounds

ICONICS has released security updates to address this vulnerability. Users should update to GENESIS64 version 10.97.2 or later. Until updates can be applied, CISA recommends minimizing network exposure, placing control system networks behind firewalls, and isolating them from business networks. Additionally, users should restrict access to TCP ports and use secure remote access methods like VPNs when remote access is required (CISA Advisory).

This report was generated using AI.

Related Mitsubishi Electric ICONICS GENESIS64 vulnerabilities:

CVE ID        | Severity | Score | Technologies                          | Component name              | CISA KEV exploit | Has fix | Published date
CVE-2024-7587 | HIGH     | 7.8   | Mitsubishi Electric ICONICS GENESIS64 | cpe:2.3:a:iconics:genesis64 | No               | No      | Oct 22, 2024
CVE-2022-40264| HIGH     | 7.1   | Mitsubishi Electric ICONICS GENESIS64 | cpe:2.3:a:iconics:genesis64 | No               | No      | Dec 14, 2022
CVE-2024-8300 | HIGH     | 7     | Mitsubishi Electric ICONICS GENESIS64 | cpe:2.3:a:iconics:genesis64 | No               | No      | Nov 28, 2024
CVE-2024-1574 | MEDIUM   | 6.7   | Mitsubishi Electric ICONICS GENESIS64 | cpe:2.3:a:iconics:genesis64 | No               | No      | Jul 04, 2024
CVE-2024-1573 | MEDIUM   | 5.9   | Mitsubishi Electric ICONICS GENESIS64 | cpe:2.3:a:iconics:genesis64 | No               | No      | Jul 04, 2024
